After getting tiered of the shortcomings of commercial network equipment I decided to invest in some professional devices. However, investigating the different brands are even more difficult than for commercial products. In the end I decided to go for MikroTik, due to their small office offerings. The devices are great and when first connecting to them you realise their potential through the sheer volume of configuration. As expected you need to design and configure you network to get it to work at all. This made me realise that I have not touched professional network equipment since university, and that was Cisco equipment. To my dread I could not find a good guide on how to configure a simple network with my equipment, so after finishing this is my guide.
Goals
When setting up our network we have a couple of goals. Namely we want a stable network where we can plug in wired devices, as well as connect via Wi-Fi. For now we are happy with creating a single wireless network that all devices connect to, and that is not separated from the wired network. However, it would be possible to create a secondary guest network, separated from our trusted devices.
In addition to the main goal the network should be as easy to maintain as possible. The less configuration that can break the better, and the more resilient it is to changes the better.
Equipment and Terminology
Due to the configurability of the RouterOS firmware (the firmware used by MikroTik devices) this guide will likely be applicable for other devices as well. However, it is only tested with my setup of a wireless access point, and a router/switch combo.
To make it easier to follow along while using other devices this guide will use the name (or Identity in RouterOS terms) cap for the access-point and capMan for the router/switch. The table below gives an overview of the name and role of each device.
Device | Model | Identity | Role |
---|---|---|---|
Wireless Access Point | wAP | CAP | The access-point used to provide Wi-Fi access |
Router/Switch | hEX PoE | CAPMAN | The router switch combo used as the center of the network. It will be the manager configuring the access-point. |
To achieve our goal of maintainability we will use a function called CAPsMAN (Controlled Access Point system Manager). This will allow us to centrally manage the access point (and new access-points in the future) from a centralised point. The router will then send updates to all access-points, removing the need to manage them one by one.
Steps
So how to configure a wireless network with MikroTik devices? I’ve broken it down into two steps, first the preparations, and then configuring the Wi-Fi network.
Preparation
The first step to any network configuration is to ensure that each device is reachable and has a recognisable identity (name). I found that it was easiest to factory reset the access-point from the GUI, and choosing the cap preset. This puts the device into a bridge mode, disabling all router functionality and NAT. This gave a good starting point for the rest of the configuration.
With a reset access-point it is time to ensure that each device have a recognisable identity. As described in Equipment and Terminology I will use CAP for the access-point and CAPMAN for the router. It is also important to ensure that the devices has good passwords and are up to date, so I recommend doing so now.
To make it easier to troubleshoot the network I also recommend setting a static DHCP lease for the CAP device. In my case the following IP configuration is used:
Device | Name | IP |
---|---|---|
Router | CAPMAN | 192.168.88.1 |
Access-Point | CAP | 192.168.88.2 |
Configuring a Wireless Network with MikroTik Devices
With our network in a state were we have a connection between CAPMAN and CAP we can begin to configure the network. The first step is to configure CAP to ask CAPMAN for configurations. This is done by using [admin@CAP] > /interface wireless cap set caps-man-addresses 192.168.88.1
. This command sets the address of the manager and ensures that it is the one responsible for the configuration.
Next up we need to configure the wireless network. This is done in multiple steps, as shown below.
[admin@CAPMAN] > /caps-man security add name="wpa2psk" authentication-types=wpa2-psk encryption=aes-ccm
[admin@CAPMAN] > /caps-man security set 0 passphrase=[REDACTED]
[admin@CAPMAN] > /caps-man configuration add name=master-cfg ssid=[My-Wifi-Network] security=wpa2psk country=sweden
[admin@CAPMAN] > /caps-man provisioning add action=create-dynamic-enabled master-configuration=master-cfg
[admin@CAPMAN] > /caps-man configuration set 0 datapath.bridge=bridge
[admin@CAPMAN] > /caps-man manager set enabled yes
The first command will create a new security configuration, specifying that the Wi-Fi shall use wpa2-psk for authentication and AES encryption. After that we set the password. This is the password used to connect to the wireless network when it gets activated. The third step is to set the name of the Wi-Fi (the SSID). Note that we do not want to configure a band here. This will allow the CAP to create a network on 2.4ghz as well as on 5ghz. Otherwise, it would only create the network on the configured band. If we wish to configure the a second Wi-Fi, we would create a second configuration here and add it as a slave configuration in the next step. On line 5 we provision the network to be created. This tells CAPMAN what configuration to push to what device. This means that if you have multiple devices you can set what devices to push it to. For more information use the built-in help or the online documentation for provisioning. The last row is the thing that got me confused. It tells the CAPMAN what bridge (interfaces) the network should be attached to. In my case this is the default bridge, and this allows devices to connected to the Wi-Fi to access the network. The last step is to enable the CAPsMAN configuration on CAPMAN. This turns the configuration on and you should now be able to see your wireless network and connect to it.
Note that if you wish to change something in an existing configuration you need to remove the configured interfaces and then trigger a re provision. This is done by:
[admin@CAPMAN] > /caps-man interface print
# This shows all interfaces, remove all interfaces
[admin@CAPMAN] > /caps-man interface remove 0
[admin@CAPMAN] > /caps-man remote-cap print
[admin@CAPMAN] > /caps-man remote-cap provision 0
# Reprovision all CAPs
There are lots more that can be done with CAPsMAN, but this should be a good starting point. However, I recommend the MikroTik wiki to read up more on the options. There might be other things relevant for your needs.
Summary
Setting up a wireless network with MikroTik infrastructure is quite easy, when you know what steps to take. The steps to take are on the managing device (CAPMAN):
- Set CAP to use CAPMAN for configuration.
- Configure the security to use for the Wi-Fi.
- Configure the password for the network.
- Create a network configuration to use.
- Provision the configuration to be pushed to access-points.
- Configure datapath for the wireless network.
- Enable the network
And on the CAP:
- Configure the CAPsMAN manager to use.
This should allow your CAPMAN to dynamically configure any access-points connected to provide network access.